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SQTrust:  Social  and  QoS  Trust  Management 
for  Mission-Oriented  Mobile  Groups 

Ing-Ray  Chen,  Fenye  Bao,  and  Jin-Hee  Cho 

Abstract —  We  propose  to  combine  the  notions  of  social  trust  derived  from  social  networks  with 
quality-of-sen/ice  (QoS)  trust  derived  from  communication  networks  to  obtain  a  composite  trust 
metric  as  a  basis  for  evaluating  trust  of  mobile  nodes  in  mobile  ad  hoc  network  (MANET) 
environments.  We  demonstrate  the  effectiveness  of  the  composite  social  and  QoS  trust  management 
protocol  (henceforward  referred  to  as  SQTrust)  for  mission-oriented  mobile  groups  in  MANETs  for 
critical  mission  executions.  SQTrust  is  distributed  in  nature  and  will  be  run  by  each  mobile  node  to 
subjectively  yet  informatively  assess  the  trust  levels  of  other  mobile  nodes  nearby  or  distance  away 
based  on  direct  observations  towards  its  neighbors,  and  indirect  observations  obtained  from 
recommenders.  We  take  a  model-based  approach  to  analyze  both  objective  and  subjective  trust  as 
the  basis  for  fine-tuning  and  validating  SQTrust  so  that  subjective  trust  evaluation  is  close  to 
objective  trust  evaluation.  We  demonstrate  resiliency  of  SQTrust  against  malicious  attacks  and 
identify  the  best  direct  vs.  indirect  evaluation  ratio  as  well  as  the  best  social  trust  vs.  QoS  trust  weight 
ratio  under  which  the  reliability  of  mission-oriented  mobile  groups  in  MANET  environments  is 
maximized. 

Index  Terms —  trust  management,  group  communication  systems,  mobile  ad  hoc  networks,  social 
networks,  model-based  evaluation,  hierarchical  modeling,  Stochastic  Petri  Nets,  reliability. 
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1  Introduction 

he  concept  of  "trust"  originally  derives  from  the 
social  sciences  and  is  defined  as  the  subjective  de¬ 
gree  of  belief  about  the  behaviors  of  a  particular  entity 
[12].  Blaze  et  al.  [7]  first  introduced  the  term  "Trust 
Management"  and  identified  it  as  a  separate  compo¬ 
nent  of  security  services  in  networks  and  clarified  that 
"Trust  management  provides  a  unified  approach  for 
specifying  and  interpreting  security  policies,  creden¬ 
tials,  and  relationships."  Trust  management  in  MA¬ 
NETs  is  needed  when  participating  nodes,  without 
any  previous  interactions,  desire  to  establish  a  net¬ 
work  with  an  acceptable  level  of  trust  relationships 
among  them,  for  example,  for  coalition  operation 
without  predefined  trust.  Thus,  the  concept  of  trust  is 
attractive  to  communication  and  network  protocol 
designers  where  trust  relationships  among  participat¬ 
ing  nodes  are  critical  to  building  collaborative  envi¬ 
ronments  to  achieve  system  optimization.  Many  re¬ 
searchers  in  the  networking  and  communication  field 
have  defined  trust  differently  such  as  "a  set  of  rela¬ 
tions  in  protocol  running"  [16],  "a  belief  on  reliability, 
dependability,  or  security"  [19],  "a  belief  about  com¬ 
petence  or  honesty  in  a  specific  context"  [3],  and  "re- 
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liability,  timeliness,  and  integrity  of  message  delivery" 

[20] 

There  is  yet  consensus  about  what  should  be  meas¬ 
ured  to  evaluate  trust  management  systems.  Golbeck 
[15]  introduced  the  concept  of  social  trust  by  suggest¬ 
ing  the  use  of  social  networks  as  a  bridge  to  build 
trust  relationships  among  entities.  Yu  et  al.  [28]  used 
social  networks  to  evaluate  trust  values  in  the  pres¬ 
ence  of  Sybil  attacks.  Standard  performance  metrics 
such  as  control  packet  overhead,  throughput,  good- 
put,  packet  dropping  rate  and  delay  have  been  used 
to  evaluate  trust  [14],  [24],  [27].  Dependability  metrics 
such  as  availability  [17],  convergence  time  to  reach  a 
steady  state  in  trustworthiness  for  all  participating 
nodes  [6],  percentage  of  malicious  nodes  [8],  and  fault 
tolerance  based  on  reputation  thresholds  [21]  also 
have  been  employed.  The  use  of  a  "trust  level"  to  as¬ 
sociate  with  a  node  has  received  attention  recently, 
considering  general  attributes  such  as  confidence  [29], 
trust  level  [25],  trustworthiness  [21],  and  opinion  [26]. 

Trust  management  is  often  used  with  different 
purposes  in  diverse  decision  making  situations  such 
as  secure  routing  [5],  [14],  [24],  [25],  [27],  [29],  key 
management  [9],  [17],  authentication  [23],  access  con¬ 
trol  [1],  and  intrusion  detection  [2].  Further,  general 
trust  or  reputation  evaluation  schemes  have  also  been 
proposed  with  a  variety  of  approaches  such  as  semir¬ 
ings  [26],  graph/random  theory  [6],  Markov  chain  [9], 
etc.  For  more  details  on  trust  management  in  MA- 
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NETs,  the  interested  readers  are  referred  to  our  very 
recent  survey  paper  [10] 

In  this  work,  we  concern  the  trust  level  of  a  node  as 
perceived  by  another  node.  However,  instead  of  con¬ 
sidering  just  one  particular  trust  attribute,  we  consider 
multiple  trust  attributes  drawing  from  social  trust  and 
QoS  trust  to  form  a  composite  social  and  QoS  trust 
metric.  More  specifically  our  proposed  social  and  QoS 
trust  management  protocol  (henceforth  called 
SQTrust)  is  capable  of  incorporating  social  trust  me¬ 
trics  including  friendship,  honesty,  privacy,  similarity, 
betweenness  centrality,  and  social  ties  [13],  as  well  as 
QoS  trust  metrics  including  competence,  cooperation, 
reliability,  and  task  satisfaction,  for  trust  management 
of  mobile  groups  in  MANET  environments.  Further, 
we  take  a  model-based  approach  and  develop  a  ma¬ 
thematical  model  based  on  Stochastic  Petri  net  (SPN) 
techniques  to  define  a  mission-oriented  mobile  group 
consisting  of  a  large  number  of  mobile  nodes  de¬ 
signed  to  achieve  missions  in  the  presence  of  mali¬ 
cious,  erroneous,  partly  trusted  and  uncertain  infor¬ 
mation.  The  SPN  provides  a  global  view  of  the  system 
and  can  serve  as  the  basis  for  objective  trust  evaluation 
based  on  global  knowledge  of  actual  node  status 
against  which  subjective  trust  evaluation  can  be  com¬ 
pared  and  validated 

This  paper  has  the  following  contributions:  First, 
we  develop  a  new  trust  management  protocol 
(SQTrust)  based  on  composite  social  and  QoS  trust, 
with  the  goal  to  yield  peer-to-peer  subjective  trust  eval¬ 
uation.  Second,  we  propose  a  model-based  evaluation 
technique  for  validating  SQTrust  based  on  the  concept 
of  objective  trust  evaluation  which  utilizes  full  global 
knowledge  to  yield  idealistic  trust  values  against 
which  subjective  trust  values  obtained  from  SQTrust 
are  compared  for  validation.  Our  analysis  methodolo¬ 
gy  hinges  on  the  use  of  a  SPN  mathematical  model  for 
describing  the  "actual"  dynamic  behaviors  of  nodes  in 
MANETs  in  the  presence  of  behaved,  selfish  and  ma¬ 
licious  nodes,  as  well  as  an  intrusion  detection  system 
(IDS)  for  detecting  and  removing  malicious  nodes. 
The  SPN  model  allows  us  to  analytically  determine 
objective  trust,  leveraging  on  the  global  knowledge  on 
actual  node  status  which  evolves  dynamically.  With 
this  methodology,  we  demonstrate  that  SQTrust  is 
capable  of  providing  valid  trust  evaluation  results 
close  to  those  obtained  from  objective  trust  evaluation 
based  on  global  knowledge  and  actual  node  status. 
Finally,  we  analyze  the  effect  of  SQTrust  on  the  relia¬ 
bility  of  a  mission-oriented  mobile  group  considering 
the  intrinsic  relationship  between  trust  and  reliability 
for  critical  mission  executions  by  the  mobile  group. 

The  rest  of  the  paper  is  organized  as  follows.  Sec¬ 
tion  2  describes  the  system  model  and  assumptions. 
Section  3  explains  SQTrust  executed  by  each  node  to 
perform  peer-to-peer  subjective  trust  evaluation  dy¬ 
namically.  Section  4  develops  a  performance  model  to 
describe  dynamic  behaviors  of  nodes  in  MANETs  in 


the  presence  of  behaved,  selfish  and  malicious  nodes 
and  IDS  with  the  objective  to  validate  subjective  trust 
evaluation  with  objective  trust  evaluation.  Section  5 
presents  quantitative  results  obtained  with  physical 
interpretations  given.  Section  6  examines  the  effect  of 
trust  management  on  the  reliability  of  mission- 
oriented  mobile  groups  with  an  application  scenario 
involving  a  commander  node  dynamically  selecting  a 
number  of  nodes  it  trusts  the  most  for  mission  execu¬ 
tion  to  demonstrate  the  applicability  of  SQTrust.  Fi¬ 
nally,  Section  7  summarizes  the  paper  and  outlines 
future  research  areas. 

2  System  Model 

There  is  no  centralized  trusted  authority.  Nodes 
communicate  through  multi-hops.  Every  node  may 
have  a  different  level  of  energy  and  speed  reflecting 
node  heterogeneity.  Some  nodes  may  behave  selfishly 
in  order  to  save  their  own  energy  particularly  when 
they  have  low  energy.  Further,  nodes  can  be  compro¬ 
mised.  The  energy  level  of  a  node  is  related  with  the 
speed  at  which  the  node  may  be  compromised.  That 
is,  a  node  is  more  likely  to  be  compromised  when  it 
has  low  energy  and  vice  versa  since  a  node  with  high 
energy  may  be  more  capable  of  defending  itself 
against  attackers  by  performing  energy-consuming 
defense  mechanisms.  To  deal  with  inside  attackers, 
the  system  employs  a  distributed  intrusion  detection 
system  (IDS)  such  as  one  described  in  [11]  for  detect¬ 
ing  compromised  nodes.  As  soon  as  a  compromised 
node  is  detected  by  IDS,  the  node  is  evicted  from  the 
system  and  the  trust  value  of  the  node  drops  to  the 
lowest  level.  The  distributed  IDS  is  characterized  by 
false  positive  and  false  negative  probabilities  for 
which  less  than  1%  is  deemed  acceptable.  The  energy 
level  of  each  node  is  adjusted  depending  on  its  status. 
For  example,  if  a  node  becomes  selfish,  the  speed  of 
energy  consumption  is  slowed  down  and  vice  versa.  If 
a  node  becomes  compromised  but  not  detected  by 
IDS,  the  speed  of  energy  consumption  would  grow 
since  the  node  may  have  a  chance  to  perform  attacks 
which  may  consume  more  energy. 

Our  system  model  also  considers  redemption  pos¬ 
sibilities  for  selfish  nodes.  That  is,  upon  learning  sta¬ 
tus  of  neighbor  nodes  through  periodic  trust  evalua¬ 
tion,  a  selfish  node  can  go  back  to  normal  or  continue 
being  selfish  depending  on  their  own  energy  level.  For 
a  mobile  group,  when  a  node  is  not  a  member,  it  will 
not  consume  energy  as  much  as  when  it  is  a  member. 
Upon  every  membership  change  due  to  join  or  leave 
or  eviction,  individual  rekeying  (meaning  the  rekey 
operation  is  done  immediately)  will  be  performed 
based  on  a  distributed  key  agreement  protocol  such  as 
the  Group  Diffie-Hellman  (GDH)  protocol.  We  as¬ 
sume  that  a  node's  trust  value  is  assessed  based  on 
direct  and  indirect  information  incorporating  direct 
observations  and  recommendations.  The  trust  assess- 


mcnt  of  one  node  toward  another  node  is  updated 
periodically. 

Trust  Metric  Model  -  A  node's  trust  value  is  as¬ 
sessed  based  on  direct  observations  as  well  as  indirect 
recommendations.  We  do  not  consider  dispositional 
belief  or  cognitive  characteristics  of  an  entity  in  deriv¬ 
ing  trust.  Our  trust  metric  consists  of  two  trust  types: 
social  trust  and  QoS  trust.  Social  trust  is  evaluated 
through  social  networks  to  account  for  social  relation¬ 
ships.  Among  the  many  social  trust  metrics  such  as 
friendship,  honesty,  privacy,  similarity,  betweenness 
centrality,  and  social  ties  [13],  we  select  social  ties 
(measured  by  intimacy)  and  honesty  (measured  by 
healthiness)  to  measure  the  social  trust  level  of  a  node 
as  these  are  considered  to  represent  the  important  as¬ 
pects  of  social  trust  in  MANETs  [10].  QoS  trust  is  eva¬ 
luated  through  the  communication  and  information 
networks  by  the  capability  of  a  node  to  complete  a  mis¬ 
sion  assigned.  Among  the  many  QoS  metrics  such  as 
competence,  cooperation,  reliability,  and  task  perfor¬ 
mance,  we  select  competence  (measured  by  energy) 
and  cooperation  (measured  by  unselfishness  for  pack¬ 
et  delivery)  to  measure  the  QoS  trust  level  of  a  node. 
Quantitatively,  let  a  node's  trust  level  toward  another 
node  be  a  real  number  in  the  range  of  [0,  1],  with  1 
indicating  complete  trust,  0.5  ignorance,  and  0  com¬ 
plete  distrust.  Let  a  node's  trust  level  toward  another 
node's  particular  trust  component  also  be  in  the  range 
of  [0, 1]  with  the  same  physical  meaning.  To  allow  the 
system  designer  to  assign  weights  to  different  trust 
components,  we  use  a  weight  ratio  between  these  four 
trust  components  as  vvt:  w2:  w3:  w4  to  reflect  their  de¬ 
sirable  degrees  in  mission  execution,  denoting  the  ef¬ 
fect  of  intimacy:  healthiness:  energy:  unselfishness  on 
the  overall  trust.  One  goal  of  this  paper  is  to  identify 
the  effects  of  these  weights,  when  given  a  mission- 
oriented  mobile  group  characterized  by  a  set  of  design 
parameter  values  reflecting  the  unique  characteristics 
of  MANET  environments. 

The  rationale  of  selecting  these  social  and  QoS  trust 
metrics  is  given  as  follows.  The  intimacy  component 
(for  measuring  social  ties)  has  a  lot  to  do  with  if  two 
nodes  are  close  to  each  other  and  have  a  lot  of  interac¬ 
tion  experiences  with  each  other,  for  example,  for 
packet  routing  and  forwarding.  In  MANET  environ¬ 
ments  due  to  node  mobility  and  grouping,  intimacy  is 
invariably  related  to  the  probability  of  two  nodes  be¬ 
ing  physically  close  to  each  other  engaging  in  packet 
routing  and  forwarding  activities.  The  healthiness 
component  (for  measuring  honesty)  is  essentially  a 
belief  of  whether  a  node  is  malicious  or  not.  We  relate 
it  to  the  probability  that  a  node  is  not  compromised.  A 
compromised  node  may  perform  fake  information 
dissemination  (e.g.,  good-mouthing  for  bad  nodes  and 
bad-mouthing  attacks  against  good  nodes),  identity 
attacks  (e.g.,  Sybil,  masquerading)  or  Denial-of- 
Service  (DoS)  attacks  (e.g.,  consuming  resources  un¬ 
necessarily  by  disseminating  bogus  packets).  With  the 


3 

presence  of  IDS  which  detects  and  announces  mali¬ 
cious  nodes  in  the  system,  each  node  can  use  this  in¬ 
formation  to  help  with  the  assessment  of  healthiness 
of  another  node.  We  assume  that  a  malicious  node 
will  always  perform  attacks  on  good  nodes  and  does 
not  discriminate  good  nodes  when  performing  at¬ 
tacks.  The  energy  component  refers  to  the  residual 
energy  of  a  node,  and  for  a  MANET  environment, 
energy  is  directly  related  to  the  ability  of  a  node  to  be 
able  to  execute  a  task  competently.  Finally  the  unsel¬ 
fishness  (cooperation)  component  of  a  node  is  related 
to  whether  the  node  is  cooperative  in  routing  and 
forwarding  packets.  For  mobile  groups,  we  relate  it  to 
the  probability  of  a  node  being  able  to  faithfully  relay 
and  respond  to  group  communication  packets. 

Referral  Trust  vs.  Functional  Trust  -  We  differen¬ 
tiate  referral  trust  from  functional  trust  [18].  When  a 
recommender  node,  say,  node  m,  provides  its  recom¬ 
mendation  to  node  x  for  evaluating  node  ;,  node  i' s 
referral  trust  on  node  m  is  multiplied  with  node  tit's 
functional  trust  on  node  j  to  yield  node  m's  recom¬ 
mending  trust  value  toward  node;  to  account  for  trust 
decay  in  time  and  space.  Other  than  the  healthiness 
trust  component,  we  assert  that  a  node  can  have  fairly 
accurate  trust  assessments  toward  its  1-hop  neighbors 
utilizing  monitoring,  overhearing  and  snooping  tech¬ 
niques.  For  example,  a  node  can  monitor  interaction 
experiences  with  a  target  node  within  radio  range, 
and  can  overhear  the  transmission  power  and  packet 
forwarding  activities  performed  by  the  target  node 
over  a  trust  evaluation  window  At  to  assess  the  target 
node's  intimacy,  energy  and  unselfishness  status.  For 
a  target  node  more  than  1-hop  away,  a  node  will  refer 
to  a  set  of  recommenders  for  its  trust  toward  the  re¬ 
mote  target  node. 

Attack  Models  -  A  malicious  node  may  perform 
good-mouthing  and  bad-mouthing  attacks.  Further  it 
may  perform  whitewashing  attacks,  e.g.,  reporting 
false  information  about  itself  to  improve  its  trust  sta¬ 
tus.  SQTrust  is  based  on  monitoring,  snooping  and 
overhearing  for  direct  observations,  and  referral  trust 
for  indirect  observations.  It  does  not  take  information 
passed  to  it  from  a  neighbor  node  as  part  of  its  trust 
evaluation  process  toward  the  neighbor  node,  so  it  is 
resilient  to  whitewashing  attacks.  It  is  resilient  to 
good-mouthing  and  bad-mouthing  attacks  by  weight¬ 
ing  indirect  recommendations  by  the  recommender's 
referral  trust.  Thus  if  a  bad  node  (while  performing  a 
good-mouthing  attack)  provides  a  good  recommenda¬ 
tion  about  a  bad  node,  the  good  recommendation  will 
be  discounted  by  the  recommender's  bad  referral 
trust.  This  is  further  assured  by  choosing  only  1-hop 
neighbors  as  recommenders  in  SQTrust  because  a 
node  can  have  fairly  accurate  trust  assessments  to¬ 
ward  its  one-hop  neighbors  in  intimacy,  energy  and 
unselfishness  status.  Our  approach  of  showing  resi¬ 
liency  against  good-mouthing  and  bad-mouthing  at¬ 
tacks  by  malicious  nodes  is  model-based,  that  is, 
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through  a  mathematical  model  (introduced  in  Section 
4)  we  show  quantitatively  that  subjective  trust  evalua¬ 
tion  results  obtained  from  SQTrust  are  close  to  objec¬ 
tive  evaluation  results  obtained  from  actual  know¬ 
ledge. 

Mission  Reliability  Model  -  SQTrust  aims  to  in¬ 
crease  the  probability  of  successful  mission  execution. 
For  mission-critical  applications,  it  is  also  frequently 
required  that  nodes  on  a  mission  must  have  a  mini¬ 
mum  degree  of  trust  for  the  mission  to  have  a  reason¬ 
able  chance  of  success.  On  the  one  hand,  a  mission 
may  require  a  sufficient  number  of  nodes  to  collabo¬ 
rate.  On  the  other  hand,  the  trust  relationship  may 
fade  away  between  nodes  both  temporarily  and  spa¬ 
tially.  SQTrust  equips  each  node  with  the  ability  to 
subjectively  assess  the  trust  levels  of  other  nodes  in 
the  system  and  thus  upon  a  mission  assignment  al¬ 
lows  the  node  to  select  highly  trustable  nodes  for  col¬ 
laboration  to  maximize  the  probability  of  successful 
mission  execution. 

3  Design  of  SQT rust 

SQTrust  is  designed  to  be  executed  by  every  node  at 
runtime.  The  trust  value  of  node  j  as  evaluated  by 
node  i  at  time  t,  denoted  as  Ti;(t),  is  computed  by 
node  i  as  a  weighted  average  of  intimacy,  healthiness, 
energy,  and  unselfishness  trust  components.  Specifi¬ 
cally  node  i  will  compute  T*  y (t)  by: 
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Equation  1  can  be  calculated  by  the  weighted  average 

of  jik-hopMalthy^  j,  k-hop, energy 

and  T^."hop,un5C^lsh(t)  respectively,  conditioning  on 
nodes  i  and  j  are  being  k-hop  apart,  for  example,  by: 
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where  kmax  is  the  maximum  number  of  hops  that  can 
possibly  separate  any  two  nodes  as  bounded  by  the 
physical  operational  area.  These  conditional  terms, 
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computed  by  a  weighted  average  of  direct  observa¬ 
tions  of  node  t  itself  toward  node  j  (when  k- 1)  or  self¬ 
information  (when  A>1)  versus  indirect  information 
obtained  from  recommenders.  As  an  example, 
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TtJ(t)  =  Wl  T(‘jntimacy(c)  +  w2  Tyatthy(t) 

+  w3  T™ergy{t)  +  w4  T™tlfis\t)  0) 

where  7#“macy(t),  Tthjealthy(t),  T™er9y(t)  and 
7 .unselfish^  are  the  trust  beliefs  of  node  i  toward  node 

j  in  intimacy,  healthiness,  energy  and  unselfishness 
trust  components,  respectively,  and  wl:  w2\  vv3:  vv4  is 
the  weight  ratio  for  weighing  intimacy:  healthiness: 
energy:  unselfishness  with  wx  -I-  w2  +  vv3  -I-  vv4  =  1  . 
While  we  do  not  know  exactly  where  a  node  is  at  time 
t ,  we  might  have  knowledge  about  the  probability  of 
its  location  given  the  mobility  pattern  of  the  mobile 
node  especially  for  group  operations.  Let  the  probabil¬ 
ity  that  node  j  being  located  in  area  q  be  (t).  Let 

the  probability  that  node  i  and  node  j  are  k-hop  apart 
at  time  t  be  P^~hop(t)  given  by: 

pyhop(t)  =  £  (2) 

(p.q)eU 

where  U  is  a  set  covering  all  (p ,  q)  pairs  with  the  dis¬ 
tance  between  p  and  q  being  k- hops.  We  propose  to 
use  a  simple  mathematical  model  based  on  SPN  tech¬ 
niques  to  yield  these  probabilities.  Now 


In  Equation  4,  ft  is  a  weight  parameter  to  weigh  node 
i's  own  information  toward  node  j' s  unselfish  assess¬ 
ment  at  time  t,  i.e.,  "direct  observations"  (when  k= 1) 
or  "self-information"  (when  k>l)  and  ft  is  a  weight 
parameter  to  weigh  indirect  information  from  re¬ 
commenders,  i.e.,  "information  from  others,"  with 

ft  +  ft  —  T 

Tk-nop,  direct,  unselfish (f)  fa  Equatjon  4  js  defined 

j, k-hop.  direct,  unself ish^^ 

Tl-nop.  direct,  unselfish  (f)  ,ffc  =  j  (J) 

Tk-h°p,  »nselflsh{t_uy]fk>1 

In  Equation  5,  if  node  i  is  within  one-hop  of  node  j, 
i.e.,  k= 1,  it  can  use  its  own  direct  observations  ob¬ 
tained  through  monitoring  overhearing  and  snooping 
to  assess  node  j.  We  will  explain  how  to 
late  Tl~hov-  diTect ■  un“"fah(t)  in  Section  4.  If  k>l,  node 
i  will  use  its  belief  in  node  j  in  unselfishness  as  eva¬ 
luated  at  t-At,  corresponding  to  the  belief  of  node  i 
toward  node  j  based  on  past  interaction  experiences 
prior  to  time  t,  as  the  basis  of  direct  observations  for 
node  i  to  further  evaluate  node  j  at  time  t.  Essentially, 
this  self  information  is  just  the  trust  component  prob¬ 
ability  of  node  j  as  evaluated  by  node  i  at  t-At  where 
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At  is  the  trust  evaluation  window. 

Tk-h0V  indirect.  unsciflsH^  ^  Equation  4  js  defincd 

as: 


rpk-hop,  Indirect,  unself  ish 
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j,(m,j)-hop,  unself ish  ^ 
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In  Equation  6,  m  is  a  recommender  and  the  notation 
(i,  m)-hop  refers  to  the  number  of  hops  separating 
node  i  from  node  m,  such  that  (/,  m)-hop  +  hop  = 
(i,  j)- hop  =  k,  and  V  is  a  set  including  the  ids  of  nr  re¬ 
commender  nodes  chosen  by  node  i  for  evaluating 
node  j.  These  recommender  nodes  may  be  just  1-hop 
away  from  node  i  or  up  to  k  hops  away  from  node  i 
but  they  form  the  set  for  which  node  i  trusts  the  most. 
In  practice,  V  may  cover  just  1-hop  neighbors  of  node 
i  since  node  i  may  trust  its  one-hop  neighbors  the 
most.  When  a  recommender  node,  say,  node  m,  pro¬ 
vides  its  recommendation  to  node  i  for  evaluating 
node  j  (functional  trust),  node  i's  trust  on  node  m  (re¬ 
ferral  trust)  is  also  taken  into  consideration  in  the  cal¬ 
culation  as  reflected  in  the  product  term  on  the  right 
hand  side  of  Equation  6.  This  models  the  decay  of 
trust  as  the  trust  space  increases. 

An  interesting  metric  is  the  average  "subjective" 
unselfish  trust  probability  of  node  j  at  time  t, 
^unselfish ^  as  eva]uatecj  by  a\\  active  nodes  in  the 

system.  It  can  be  calculated  by  a  weighted  average  of 
unselfishness  trust  beliefs  from  all  nodes,  i.e., 


unselfish 


(0  = 


sail  i 


(7) 


We  can  follow  the  same  formulation  to  compute 
the  average  subjective  trust  probabilities  of  the  other 
three  trust  components,  i.e.,  Tjintlmacy(t),  Tjhealthy (t), 
and  T*ner9y(t).  Another  metric  of  interest  is  the  over¬ 
all  average  trust  level  of  node  j,  denoted  by 
TjSQTru^  (t),  as  evaluated  by  all  active  nodes.  Follow¬ 
ing  Equation  1,  TjSQTrust  (t)  can  be  calculated  by: 


5Qrru,t(t)=g^iV5.)  (9) 

Lalli 1 

In  this  paper,  we  compare  TjSQTrust(t)  with  the  "ob¬ 
jective"  trust  of  a  node  which  is  calculated  based  on 
actual,  global  information  of  each  node  to  see  how 
much  subjective  trust  evaluation  is  from  objective 
trust  evaluation.  Such  objective  trust  calculations  can 
be  obtained  by  a  mathematical  model  (see  Section  4 
below)  that  describes  the  global  behavior  exactly  so 
we  may  ideally  calculate  the  objective  trust  levels  of 
nodes  in  the  system  based  on  the  global  knowledge. 
This  serves  as  the  basis  for  validating  SQTrust. 

Trust  Management  vs .  Reliability  Assessment  - 
We  can  use  T?QTrust(t)  as  an  indicator  to  know  if  node 
j  satisfies  the  minimum  trust  threshold  set  for  a  mis¬ 
sion  execution.  More  importantly,  we  could  obtain  the 
mission  success  probability  (as  a  reliability  metric)  if 
the  application  provides  some  knowledge  regarding 
the  "minimum  trust  level"  and  "drop  dead  trust  lev¬ 
el"  for  successful  mission  execution  and  the  amount  of 
time  taken  for  mission  completion  if  a  particular  node, 
along  with  other  trusted  nodes,  is  assigned  with  the 
mission  execution.  We  consider  a  mission  application 
for  which  there  are  two  trust  thresholds:  Mi  is  a  min¬ 
imum  trust  level  required  for  successful  mission  com¬ 
pletion  and  M2  is  a  drop  dead  trust  level  for  the  sys¬ 
tem  to  fail  TR  is  the  deadline  for  completion  for  this 
mission.  Suppose  we  have  knowledge  regarding  the 
time  to  complete  the  mission,  i.e.,  g(t)  is  the  probabili¬ 
ty  density  function  of  the  mission  execution  time  (e.g., 
a  uniform  distribution  from  0  to  TR).  Note  that  TR, 
Mi,  and  M2  can  be  determined  based  on  system  re¬ 
quirements.  Let  /?(t)  be  the  system  reliability  at  time  t. 
Then  the  mission  success  probability,  denoted  by 
P 'mission /  is  simply  the  expected  system  reliability  con¬ 
ditioning  on  the  mission  execution  time,  i.e., 

Jr  77? 

R(t)*g(t)dt  (10) 

0 

where  R(t)  is  zero  if  t  >  TR.  For  the  special  case  in 
which  a  system  failure  occurs  when  node  j  fails,  R(t)  is 
equal  to  Rj(t),  which  can  be  calculated  by: 


TSQTrust(t)  =  Wi  ^intimacy  ^  +  ^  ^ealthy^ 


+  W3Tjener9y(t ) 

+  W4  T/nSe‘/“'l(t) 


(8) 


Alternatively  once  we  obtain  Ti;  (t)  from  Equation 


1,  7js<2rru5C(t)  can  be  computed  by: 


(  0,  if  Xj(t')  =  0  for  any  t'  <  t 
{E[Xj(t')),t’<t,  otherwise 


where  = 
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<  0,  ifTj5QTrust(t')<M2 
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Here  t'  <  t,  is  the  instantaneous  trust  degree  of 

nodes  j  at  time  f.  One  can  see  that  the  knowledge  of 
jSQTrust ^  jg  very  desirable  for  computing  PmiSSion 
once  we  are  given  knowledge  regarding  mission  ex¬ 
ecution  time  distribution,  definition  of  system  failure 
based  on  trust  (e.g.,  a  condition  is  when  a  majority  of 
nodes  have  trust  fall  below  M2)  and  the  trust  require¬ 
ments  for  successful  mission  execution. 


4  Performance  Model 

Our  analysis  methodology  is  model-based  and  hinges 
on  the  use  of  a  Stochastic  Petri  net  (SPN)  mathemati¬ 
cal  model  for  describing  "actual"  dynamic  behaviors 
of  nodes  in  MANETs  in  the  presence  of  behaved,  sel¬ 
fish  and  malicious  nodes,  as  well  as  IDS  for  detecting 
malicious  nodes.  The  SPN  outputs  can  provide  a 
global  view  of  the  system  and  can  serve  as  the  basis 
for  "objective"  trust  evaluation.  Our  goal  is  to  com¬ 
pare  "subjective"  trust  versus  "objective"  trust  ob¬ 
tained  through  SQTrust  to  provide  a  sound  theoretical 
basis  for  guiding  the  algorithm  design  for  SQTrust. 
Once  the  subjective  trust  is  proven  close  to  the  objec¬ 
tive  trust,  we  make  use  of  the  resulting  SPN  model 
outputs  to  compute  the  mission  success  probability 
( Pmisston  in  Equation  10)  when  given  knowledge  re¬ 
garding  the  mission  execution  time  distribution,  the 
definition  of  system  failure  based  on  trust,  and  the 
trust  requirements  for  successful  mission  execution 
for  mission  critical  applications. 
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Figure  1:  Node  SPN  Model. 


Analytical  Modeling  based  on  SPN  -  We  develop  a 
node  SPN  model  as  shown  in  Figure  1  for  describing 
the  behavior  of  a  mobile  node  in  the  system.  The  node 
SPN  model  describes  a  single  node's  lifetime  in  the 
presence  of  other  selfish  and  malicious  nodes,  as  well 
as  IDS  for  detecting  inside  attackers.  It  is  used  to  ob¬ 
tain  a  single  node's  information  (e.g.,  intimacy,  heal¬ 
thiness,  energy,  and  unselfishness)  and  to  derive  the 
trust  relationship  with  other  nodes  in  the  system.  It 
also  captures  location  information  of  a  node  as  a  func¬ 


tion  of  time. 

Below  we  explain  how  we  construct  the  node  SPN 
model  for  describing  a  node's  lifetime  in  terms  of  its 
location,  energy  level,  membership,  degree  of  healthi¬ 
ness  (e.g.,  whether  or  not  a  node  is  compromised 
or/ and  detected  by  IDS),  and  degree  of  selfishness. 

Location:  Transition  T_LOCATION  is  triggered 
when  the  node  moves  to  a  randomly  selected  area  out 
of  four  different  directions  from  its  current  location 
with  the  rate  calculated  as  Sinit/R  based  on  an  initial 
speed  (Smt/)  and  wireless  radio  range  (R).  Depending 
on  the  randomly  selected  location,  the  number  of  to¬ 
kens  in  place  Location  is  adjusted.  Without  loss  of  ge¬ 
nerality,  we  consider  a  square-shaped  operational  re¬ 
gion  consisting  of  M*M  sub-grid  areas  each  with  the 
width  and  height  equal  to  R.  Initially  for  simplicity 
nodes  are  randomly  distributed  over  the  operational 
area  based  on  uniform  distribution.  A  node  randomly 
moves  to  one  of  four  locations  in  four  directions  (i.e., 
north,  west,  south,  and  east)  in  accordance  with  its 
mobility  rate.  To  avoid  end-effects,  movement  is 
wrapped  around  (i.e.,  a  torus  is  assumed).  The  node 
SPN  model  produces  the  probability  that  a  node  is  at 
a  particular  location  at  time  f,  for  example,  the  proba¬ 
bility  that  node  i  is  located  in  area  j  at  time  t.  This  in¬ 
formation  along  with  the  location  information  of  other 
nodes  at  time  t  provides  the  information  to  a  node 
about  its  k- hop  neighbors  at  time  f,  which  is  important 
for  measuring  trust  among  peers. 

Intimacy:  A  node  is  intimate  to  another  node  when 
they  have  a  lot  of  interaction  experiences.  In  MANET 
environments  because  of  node  mobility,  two  nodes 
interact  with  each  other  when  they  are  physically 
close  by  each  other  particularly  in  packet  routing  and 
forwarding.  Thus  intimacy  can  be  modeled  by  the 
time-averaged  probability  that  two  nodes  are  physi¬ 
cally  close  by  each  other  within  radio  range  over  [t- 
dAt,  t],  thus  modeling  past  but  recent  interaction  ex¬ 
periences.  Since  the  node  SPN  model  for  a  node  gives 
us  the  probability  that  the  node  is  in  a  particular  loca¬ 
tion  at  time  t,  we  can  easily  compute  this  time- 
averaged  probability  that  two  nodes  are  physically 
close  by  each  other  over  [t-dAtf  t]  from  the  two  node 
SPN  models  associated  with  the  two  nodes.  Here  d  is 
a  design  parameter  specifying  the  extent  to  which  re¬ 
cent  interaction  experiences  would  contribute  to  inti¬ 
macy.  We  can  go  back  as  far  as  t= 0,  that  is,  d-t/ At,  if 
all  interaction  experiences  are  considered  equally  im¬ 
portant. 

Energy  Place  Energy  represents  the  current  energy 
level  of  a  node.  An  initial  energy  level  of  each  node  is 
assigned  according  to  node  heterogeneity  informa¬ 
tion.  We  randomly  generate  a  number  between  12  to 
24  hours  based  on  uniform  distribution,  representing 
a  node's  initial  energy  level  Eimt.  Then  we  put  into 
place  Energy  a  number  of  tokens  corresponding  to  this 


initial  energy  level.  A  token  is  taken  out  when  transi¬ 
tion  T_ENERGY  fires.  The  transition  rate  of 
T_ENERGY  is  adjusted  on  the  fly  based  on  a  node's 
state:  it  is  lower  when  a  node  becomes  selfish  to  save 
energy  or  when  a  node  changes  its  membership  from 
a  member  to  a  non-member,  and  is  higher  when  the 
node  becomes  compromised  so  that  it  performs  at¬ 
tacks  more  and  consumes  energy  more.  Therefore, 
depending  on  the  node's  status,  its  energy  consump¬ 
tion  is  dynamically  changed. 

Healthiness:  A  node  is  compromised  when  transi¬ 
tion  T_COMPRO  fires.  The  transition  rate  to  transition 
T_COMPRO  is  modeled  as  1  /Tcomp  with  the  interval 
Temp  =  (rnark(Energy)  +  l)/Acom  where  Acom  is  the 
node  compromising  rate  initially  given,  and 
mark(Energy)  indicates  the  level  of  current  energy.  In 
practice,  Xcom  can  be  derived  from  first-order  approx¬ 
imation  of  historical  attack  data.  We  model  the  beha¬ 
vior  of  node  compromise  such  that  if  the  node  has  low 
energy,  it  is  more  likely  to  become  compromised,  and 
vice  versa.  If  the  node  is  compromised,  a  token  goes  to 
UCN,  meaning  that  the  node  is  being  compromised 
but  not  yet  detected  by  IDS.  While  the  node  is  not  de¬ 
tected  by  IDS,  it  has  a  chance  to  perform  good- 
mouthing  and  bad-mouthing  attacks  as  a  recom- 
mender  by  good-mouthing  a  bad  node  with  a  high 
trust  recommendation  and  bad-mouthing  a  good 
node  with  a  low  trust  recommendation  If  a  compro¬ 
mised  node  is  being  detected  by  IDS,  a  token  is  taken 
out  from  UCN  into  DCN  and  the  node  is  evicted  im¬ 
mediately  through  individual  rekeying.  We  model  a 
mobile  group  equipped  with  IDS  being  characterized 
by  false  alarm  probabilities.  A  false  negative  probabil¬ 
ity  (P}nS)  of  IDS  is  considered  in  T_1DS  which  has  the 
rate  of  (l  —  P}%s)/TIDs  and  a  false  positive  probability 
(PfpS)  of  IDS  is  considered  in  T_IDSFA  which  has  the 
rate  of  PfpS/TIDS,  where  TIDS  is  the  IDS  executing  in¬ 
terval. 

Unselfishness:  Place  SN  represents  whether  a  node 
is  selfish  or  not.  If  a  node  becomes  selfish  while  for¬ 
warding  a  packet,  a  token  goes  to  SN  by  triggering 
T_SELFISH.  We  consider  a  mobile  group  in  which  a 
node's  selfish  behavior  is  a  function  of  its  remaining 
energy,  the  mission  difficulty  and  the  neighborhood 
selfishness  degree.  Specifically,  the  transition  rate  to 
T_SELFISH  -  is  given  by: 

rate(T_SELF!SH ) 

_  f  (P remain)  f  ficulty)f  {^degree)  (12) 

where  Eremain  represents  the  node's  current  energy 
level  as  given  in  mark(Energy),  Mdifficulty  is  the  diffi¬ 
culty  level  of  the  given  mission,  Sdegree  is  the  degree 
of  selfishness  computed  based  on  the  ratio  of  selfish 
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nodes  to  unselfish  nodes  among  1-hop  neighbors  and 
Tgc  is  the  group  communication  interval  over  which  a 
node  may  decide  to  become  selfish  and  drop  packets. 
The  form  f(x )  =  ax~e  follows  the  demand-pricing 
relationship  in  Economics  [4]  to  model  the  effect  of  its 
argument  x  on  the  selfishness  behavior,  including: 

•  / (Eremain)-  If  a  node  has  a  higher  level  of  energy, 
it  is  less  likely  to  be  selfish.  This  is  to  consider  a 
node's  individual  welfare. 

•  f  {N dif f imity)’  If  a  node  is  assigned  to  a  mission 
with  a  high  degree  of  difficulty,  it  is  less  likely  to 
be  selfish.  This  is  to  take  global  welfare  into  con¬ 
sideration  for  achieving  a  given  mission  success¬ 
fully. 

•  / {^degree)'  If  a  node  has  a  higher  level  of  selfish¬ 
ness  among  its  1-hop  neighbors,  it  is  less  likely  to 
be  selfish.  This  is  because  a  node  will  contribute  to 
serving  to  achieve  the  mission  if  there  are  not 
many  healthy  nodes  around  it. 

Similarly  a  selfish  node  may  become  unselfish 
again  through  transition  T_REDEMP.  The  redemption 
rate  is  modeled  in  a  similar  way  as* 


rate  (T_REDEMP) 

_  f  (^ consumed)  f  (^  easiness)  f  ^  degree) 


At 


(13) 


where  Econsumed  is  the  amount  of  energy  consumed  as 
given  by  Einit  -  mark  (Energy),  Measiness  is  the  degree 
of  mission  easiness,  Hdegree  is  the  degree  of  unselfish¬ 
ness  among  1-hop  neighbors  and  At  is  the  trust  evalu¬ 
ation  window  over  which  a  selfish  node  may  decide 
to  become  unselfish  again.  The  form /(x)  =  ax~€  im¬ 
plies  the  following  physical  meanings: 

•  f(P consumed)'-  If  a  node  has  a  higher  level  of  energy 
already  consumed,  it  is  less  likely  to  be  redeemed. 
This  means  that  when  a  node  has  low  energy,  it 
wants  to  further  save  its  energy  considering  its 
own  individual  benefit. 

•  f  (M easiness)’-  If  a  node  is  assigned  with  an  easier 
mission,  it  is  less  likely  to  be  redeemed.  An  easier 
mission  may  not  burden  the  node's  neighboring 
nodes,  and  thus  a  selfish  node  may  want  to  stay 
being  selfish. 

•  f(H degree)’-  If  a  node  has  a  higher  level  of  unsel¬ 
fishness  among  its  1-hop  neighbors,  it  is  less  likely 
to  be  redeemed.  When  a  node  believes  that  there 
are  other  unselfish  nodes  to  service  a  given  mis¬ 
sion,  it  may  stay  being  selfish  to  save  its  energy. 

The  overall  system  SPN  model  consists  of  a  large 
number  of  node  SPN  models,  one  for  each  node  in  the 
system.  To  reduce  computational  complexity,  we  only 
run  one  node  SPN  model  at  a  time.  We  develop  a 
novel  iterative  technique  to  solve  the  system  SPN 
model.  In  the  first  round  of  iteration,  since  there  is  no 
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information  available  about  other  nodes,  each  area  is 
assumed  to  have  an  equal  number  of  nodes  and  all 
nodes  are  assumed  to  be  healthy,  unselfish,  and  un¬ 
compromised.  In  the  second  round  of  iteration,  based 
on  the  information  collected  (e.g.,  numbers  of  healthy, 
selfish,  or  undetected  compromised  nodes  as  1-hop 
neighbors)  from  the  first  round  of  node  SPN  models 
and  also  the  location  information,  each  node  knows 
how  many  nodes  are  1-hop  neighbors  that  can  directly 
communicate  with  it  and  their  conditions  whether 
they  are  selfish  or  compromised,  as  well  as  how  many 
N-hop  neighbors  it  has  at  time  t .  It  then  adjusts  its 
conditions  of  1-hop  neighbors  at  time  t  with  the  out¬ 
puts  obtained  from  the  /*  round  of  iteration  as  inputs 
to  the  (Z+l)01  round  of  iteration.  This  process  continues 
until  a  specified  convergence  condition  is  met.  We  use 
the  Mean  Percentage  Difference  (MPD)  to  measure  the 
difference  between  critical  design  parameter  values, 
including  a  node's  actual  energy  level,  unselfish  prob¬ 
ability,  and  undetected  compromised  probability  at 
time  t  in  two  consecutive  iterations.  The  iteration 
stops  when  the  MPD  is  below  a  threshold  (1%)  for  all 
nodes  in  the  system.  The  node  SPN  models  for  node  i 
after  convergence  will  produce  model  outputs  allow¬ 
ing  objective  trust  evaluation  of  Tjintimacy  (t), 
Tjh‘althy(t ),  T*ner9y(t)  and  TjUnselflsh(t). 

Objective  Trust  Evaluation  -  With  the  node  beha¬ 
viors  modeled  by  the  overall  system  SPN  model  de¬ 
scribed  above,  the  objective  trust  evaluation  of  node;, 
i.e.,  Tjintimacy (0,  7} 'lW (t),  Tfner9y (t)  and 

junseifish ^  can  obtained  based  on  exact  global 

knowledge  about  node  j  as  modeled  by  its  node  SPN 
model  that  has  met  the  convergence  condition  with 
the  location  information  supplied.  To  calculate  each  of 
these  objective  trust  probabilities  of  node/,  one  would 
assign  a  reward  of  rs  with  state  s  of  the  underlying 
semi-Markov  chain  of  the  SPN  model  to  obtain  the 
probability  weighed  average  reward  as  T;x(t)  = 
£ses(rs  *  P5(0)  f°r  X  =  healthiness,  energy  or  unsel¬ 
fishness,  and  as  T;X(t)  =  f  fjli  dt  for  x  = 

intimacy.  Here  S  indicates  the  set  of  states  in  the  un¬ 
derlying  semi-Markov  chain,  Ps(t)  is  the  probability 
that  the  system  is  in  state  s  at  time  t,  and  rs  is  the  re¬ 
ward  to  be  assigned  to  state  s.  Table  1  summarizes 
specific  reward  assignments  used  to  calculate 

Tintimacy(t)t  T  healthy  ^  ^nergy^  and  ^unselfish  (t)  as 


In  Table  1,  Er  is  the  energy  threshold  below  which 
the  trust  toward  a  node  in  energy  goes  to  the  worst 
trust  level.  Once  objective  trust  values  of  node  /,  i.e.. 


Tintimacy{t)' 


healthy  ✓ 


I  w.  (t).  T;ner9y(t)  and  r;nse,^(t), 

are  obtained,  we  can  calculate  the  overall  average  ob¬ 
jective  trust  value  of  node  j,  Tj SQTrust (t),  based  on  Eq- 


Table  1:  Reward  Assignments  for 
Objective  Trust  Evaluation. 

Component  trust 
probability 
toward  node  / 

rs :  reward  assignment  to  state  s 

j  intimacy 

1  if  mark(j’s  location )  is  in  a  partic¬ 
ular  area  at  time  t;  0  otherwise 

j  healthy 

1  if  ( mark(j'sDCN )  =0 
&  mark(j's  UCN )  =  0);  0  otherwise 

T™°y{c> 

1  if  (mark(j's  Energy )  >  ET); 

0  otherwise 

^unselfish 

1  if  (markups  SN )  =  0 
&  mark(j's  member )  >  0), 

0  otherwise 

Table  2:  Reward  Assignments  for 
Subjective  Trust  Evaluation. 


Component  trust 
probability  of  node 
i  toward  node  / 

rs :  reward  assignment  to  state  s 

j.1  -  hop.direct,  intimacy  ^ 

1  if  i  and  j  are  in  the  same  area  within 

last  dAt;  0  othenvise 

j,\-hop,direct.healthy 

1  if  ( mark(j's  DCN)  *  0),  0  othenvise 

-hop.direct. energy  ^ 

l'J 

1  if  ( mark(j's  Energy )  >  £»; 

0  otherunse 

j.1  -hop.dircctunselfish,  v 

1 l.J 

1  if  (mark(fs  SN)  =  0 

&  mark(j's  member)  >  0); 

0  otherunse 

uation  8. 

Subjective  Trust  Evaluation  -  Unlike  objective  trust 
evaluation,  subjective  trust  evaluation  is  based  on  Eq¬ 
uations  1-7.  The  only  knowledge  a  node  has  about 
other  nodes  at  time  t  is  the  intimacy,  energy  and  un¬ 
selfishness  behaviors  of  its  1-hop  neighbors  (but  not 
healthiness  which  is  most  likely  concealed  by  a  com¬ 
promised  node)  through  monitoring,  overhearing  and 
snooping  techniques.  For  the  healthiness  trust  com¬ 
ponent,  node  i  knows  node  j  is  compromised  only 
when  IDS  announces  the  eviction  message  to  the  mo¬ 
bile  group,  i.e.,  when  node  /'  s  DCN  (in  Figure  1)  be¬ 
comes  nonempty.  Thus,  we  can  also  easily 
put er^  d,r*ct'  'ntimacy(t), 


Tl-hop  direct,  energy 

li.j 


j.\-hop,  direct,  healthy  s  x 
li.j 

-hop  direct,  unselfish , 


(0  and  r.™  a,retl' 
from  the  SPN  model  through  reward  assignments. 
Table  2  summarizes  specific  reward  assignments  used 
to  obtain  these  subjective  trust  beliefs.  Note  that  here 
the  probability  weighted  average  reward  will  need  to 
be  calculated  from  the  outputs  of  the  node  SPN  mod¬ 
els  for  nodes  i  and  ;  as  the  trust  evaluation  is  subjec¬ 
tive. 

In  Table  2,  A t  is  the  trust  evaluation  window.  The 
subjective  trust  component  probabilities  at  k  hops,  i.e., 


T 


tj 


'(0,  r. 


i.i 


'(0. 


rpk -hop, energy 


and  T^j  h°Punselflsh^f  can  then  be  obtained  through 
Equation  4  which  is  applied  recursively  through  Equ- 


ations  5  and  6.  Then  the  subjective  trust  evaluation  of 
node  j,  i.e.,  T}ntimacy(.t),  Tjhealthy  (t),  T'ners,y{t)  and 
7 .unselfish^  can  bc  calculated  through  Equation  7 , 
and,  subsequently,  the  overall  average  subjective  trust 
value  of  node  j,  TjSQTrust  (t),  can  be  obtained  through 
Equation  8.  This  last  quantity  is  to  be  compared  with 
that  obtained  through  objective  trust  evaluation  dis¬ 
cussed  above  as  the  basis  for  validating  the  design  of 
SQTrust.  It  should  be  noted  that  a  node  that  is  de¬ 
tected  compromised  by  IDS  will  be  evicted  and  the 
eviction  decision  will  be  made  known  to  all  nodes  by 
the  mobile  group.  Therefore,  there  is  no  need  for  node 
i  to  do  peer-to-peer  subjective  trust  evaluation  toward 
node  j  based  on  Tj  /(t)  after  learning  that  node  j  has 
been  evicted  at  time  t. 

5  Evaluation  Results 

In  this  section,  we  show  numerical  data  resulting  from 
subjective  trust  evaluation  based  on  SQTrust  and 
compare  the  results  obtained  from  objective  trust 
evaluation. 


Table  3:  Default  Parameter  Values  Used. 


Parameter 

Value 

Parameter 

Value 

A/*  A/ 

6^6 

R 

250m 

a 

1 

MfiM: 

0  85  0  55 

e 

1.2 

n 

5 

Pifr 

Variable 

d 

2 

W,,  Wj.Wj.W4 

025 

nlDS  nlDS 

*rfp 

0.5% 

TR 

Variable 

1  />Un 

8400s 

Smli 

(0,  2]  m/s 

At 

1200s 

7V 

120  5 

Em 

[12,  24]  hrs 

Tms 

600s 

Et 

0  hrs 

_ sill _ 

uniform  distribution  over  [0,  77?] 

Table  3  lists  the  default  parameter  values  used.  We 
populate  a  MANET  with  150  nodes  moving  randomly 
in  6x6  operational  areas,  with  each  area  covering  250m 
radio  radius.  We  use  all  1-hop  neighbors  as  the  re- 
commenders  for  indirect  trust  evaluation.  The  envi¬ 
ronment  being  considered  is  assumed  hostile  and  in¬ 
secure  with  the  compromising  rate  set  to  once  per  140 
minutes.  When  a  node  turns  malicious,  it  performs 
good-mouthing  and  bad-mouthing  attacks,  i.e.,  it  will 
provide  the  highest  trust  recommendation  toward  a 
bad  node  to  facilitate  collusion,  and  conversely  the 
lowest  trust  recommendation  toward  a  good  node  to 
ruin  the  reputation  of  the  good  node.  When  a  mali¬ 
cious  node  is  detected  by  the  IDS,  the  trust  level  of  the 
malicious  node  drops  to  zero,  thereby  nullifying  its 
good-mouthing  and  bad-mouthing  attacks.  The  initial 
trust  level  is  set  to  1  for  healthiness,  energy  and  unsel¬ 
fishness  because  all  nodes  are  considered  trustworthy 
initially.  The  initial  trust  level  of  intimacy  is  set  to  the 
probability  that  another  node  is  found  in  the  same 
location  in  accordance  with  the  intimacy  definition. 
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We  vary  the  values  of  important  parameters  such  as 
/?i:  /?2  (with  higher  /?i  meaning  more  direct  observa¬ 
tions  or  self-information  being  used  for  subjective 
trust  evaluation),  u^:  w2:  vv3:  w4  (the  weight  ratio  for 
the  4  trust  components  considered),  Mi  and  M2  (the 
minimum  trust  level  and  drop-dead  trust  level),  and 
TR  (the  mission  completion  deadline)  to  test  the  sensi¬ 
tivity  of  the  results  with  respect  to  these  design  para¬ 
meters. 


1 
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0  2 
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♦  objective  intimacy 

■  subjective  intimacy  -  90%  direct  evaluation 
subjective  intimacy  *  80%  direct  evaluation 
subjective  intimacy  -  70%  direct  evaluation 
subjective  intimacy  -  60%  direct  evaluation 
subjective  intimacy  -  50%  direct  evaluation 
subjective  intimacy  *  40%  direct  evaluation 
subjective  intimacy  -  30%  direct  evaluation 
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Figure  2:  Intimacy  Evaluation. 
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Figure  3:  Healthiness  Evaluation. 
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Figure  4:  Energy  Evaluation. 
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♦  objective  unselfishness 

■  subjective  unselfishness  -  90%  direct  evaluation 


*  subjective  unselfishness  -  80%  direct  evaluation 
M  subjective  unselfishness  -  70%  direct  evaluation 
m  subjective  unselfishness  -  60%  direct  evaluation 
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time  (min.) 

Figure  5:  Unselfishness  Evaluation. 

♦  objective  overali  trust 

■  •  subjective  overali  trust  -  90%  direct  evaluation 
»  subjective  overall  trust  -  80%  direct  evaluation 
H  subjective  overall  trust  -  70%  direct  evaluation 
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Figure  6:  Overall  Trust  Evaluation. 

To  reveal  which  trust  component  might  have  a 
more  dominant  effect,  we  show  individual  trust  com- 
poncnt  values,  i.e.,  Tjntlmacy {t) ,  Tjhealthy {t),  T™r9y{t) 
and  7 -unselfish^  for  nocje  ranciomly  picked.  Other 

nodes  exhibit  similar  trends  and  thus  only  one  set  of 
results  is  shown  here.  Figures  2-5  show  the  node's 
trust  values  as  a  function  of  mission  execution  time 
for  intimacy,  healthiness,  energy  and  unselfishness, 
respectively,  with  f3\:  /^varying  from  0.3:  0.7  (30%  di¬ 
rect  evaluation:  70%  indirect  evaluation)  to  0.9:  0.1 
(90%  direct  evaluation:  10%  indirect  evaluation).  We 
see  that  for  all  4  trust  components,  subjective  trust 
evaluation  results  are  closer  and  closer  to  objective 
trust  evaluation  results  as  we  use  more  conservative 
direct  observations  or  self-information  for  subjective 
trust  evaluation.  However,  there  is  a  cutoff  point  (at 
about  75%)  after  which  subjective  trust  evaluation 
overshoots.  This  indicates  that  using  too  much  direct 
observations  for  subjective  trust  evaluation  may  over¬ 
estimate  trust  because  there  is  little  chance  for  a  node 
to  use  indirect  observations  from  trustworthy  recom- 
menders.  Our  analysis  allows  such  a  cutoff  point  to  be 


determined  . 

Figure  6  shows  the  node's  overall  trust  values  ob¬ 
tained  from  subjective  trust  evaluation  vs.  objective 
trust  evaluation,  also  as  a  function  of  time.  We  ob¬ 
serve  that  the  subjective  trust  evaluation  curve  is  rea¬ 
sonably  close  to  the  objective  trust  evaluation  curve, 
but  again  there  is  a  cutoff  point  after  which  SQTrust 
overestimates  trust  compared  to  objective  trust.  Nev¬ 
ertheless,  Figures  2-6  demonstrate  that  subjective  trust 
evaluation  results  can  be  very  close  to  objective  trust 
evaluation  results  when  the  right  amount  of  direct 
observations  is  used  for  subjective  trust  evaluation. 

6  Effect  of  Trust  Management  on 
Reliability 

To  demonstrate  the  effect  of  subjective  trust  evalua¬ 
tion  on  the  reliability  of  mission-oriented  mobile 
groups  in  MANETs,  we  turn  our  attention  to  the  mis¬ 
sion  success  probability  defined  by  Equation  10.  We 
consider  an  application  scenario  in  which  a  com¬ 
mander  node,  say  node  i,  dynamically  selects  n  nodes 
(h=5  in  the  case  study)  which  it  trusts  most  out  of  ac¬ 
tive  mobile  group  members  for  mission  execution.  We 
consider  dynamic  team  membership  such  that  after 
each  trust  evaluation  window  At  the  commander  will 
reselect  its  most  trusted  nodes  for  mission  executions 
based  on  its  peer-to-peer  subjective  evaluation  values 
Ti  j(t)  toward  nodes  j's  as  calculated  from  Equation  1. 
The  rationale  behind  dynamic  membership  is  that  the 
commander  may  exercise  its  best  judgment  to  select  n 
most  trusted  nodes  to  increase  the  probability  of  suc¬ 
cessful  mission  execution.  Assume  that  all  n  nodes 
selected  at  time  t  are  critical  for  mission  execution 
during  [t,  f+At]  so  that  if  any  one  node  selected  fails, 
the  mission  fails.  We  can  then  apply  Equations  10  and 
11  to  compute  Pmission  over  an  interval  [t,  f+At],  Since 
all  time  intervals  are  connected  in  a  series  structure, 
Pmission  over  the  overall  mission  period  [0,  TR]  can  be 
computed  by  the  product  of  individual  Passion's  over 
intervals  [0,  At],  [At,  2At],  ...,  [TR-At,  TR], 

Figure  7  shows  the  mission  success  probability 
P mission  as  a  function  of  TR.  To  examine  the  effect  of 
w1:w2:w3:wA  (the  weight  ratio  for  the  4  trust  compo¬ 
nents  considered  in  this  paper),  we  consider  5  test  cas¬ 
es:  (a)  equal-weight ,  (b)  social  trust  only,  (c)  QoS  trust 
only,  (d)  more  social  trust,  and  (e)  more  QoS  trust  as 
listed  in  Table  4. 


Table  4:  Test  Cases  for  Weight  Ratio. 


Test  case 

Weight  ratio 

Equal-weight 

w1:w2:vv3:W4  =  0.25:0.25:0.25:0,25 

Social  trust  only 

w,:  w2:  w3:w4  =  0.5: 0.5: 0-0 

QoS  trust  only 

wl:w2:w3:wi  =  0:  0:0.5:  0.5 

More  social  trust 

w1:w2:  w3:w4  =  0.35:0.35:0.15:0.15 

More  QoS  trust 

wi:w2:w3:wA  =  0.15:0,15:0.35:0.35 

P  mission  P  mission  p  mission 
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Legend: 

♦  objective  Pmission 

- subjective  Pmission 

■  subjective  Pmission 

*  "  subjective  Pmission 

M  subjective  Pmission 

»  subjective  Pmission 

•  subjective  Pmission 

♦  subjective  Pmission 

subjective  Pmission 


optimai  %  direct  evaiuation 
90%  direct  evaiuation 
80%  direct  evaluation 
70%  direct  evaluation 
60%  direct  evaiuation 
50%  direct  evaiuation 
40%  direct  evaiuation 
30%  direct  evaiuation 


(a)  Equal-Weight. 


(b)  Social  Trust  Only. 


TR  -  mission  completion  deadline  (min.) 

(d)  More  Social  Trust. 


(c)  QoS  Trust  Only. 


TR  -  mission  completion  deadline  (min  ) 

(e)  More  QoS  Trust. 

Figure  7:  Mission  Success  Probability:  Subjective  vs. 

Objective  Evaluation. 

For  all  test  cases  we  see  that  as  TR  increases,  the 
mission  success  probability  decreases  because  a  long¬ 
er  mission  execution  time  increases  the  probability  of 
low-trust  nodes  becoming  members  of  the  team  for 
mission  execution  For  comparison,  the  mission  suc¬ 
cess  probability  Pmission  based  on  objective  trust  eval¬ 
uation  results  is  also  shown,  representing  the  ideal 
case  in  which  node  i  has  global  knowledge  of  status  of 
all  other  nodes  in  the  system  and  therefore  it  always 
picks  n  truly  most  trustworthy  nodes  in  every  At  in¬ 
terval  for  mission  execution.  For  each  case,  we  also 
show  the  optimal  fin  /?2  ratio  (with  higher  /?i  meaning 
more  direct  observations  or  self-information  being 
used  for  subjective  trust  evaluation)  at  which 
Pmission  obtained  based  on  subjective  trust  evaluation 
results  is  virtually  identical  to  Pmission  obtained  based 
on  objective  trust  evaluations. 

We  observe  that  as  more  social  trust  is  being  used 
for  subjective  trust  evaluation,  the  optimal  /?r.  ^2  ratio 
increases,  suggesting  that  social  trust  evaluation  is 
very  subjective  in  nature  and  a  node  would  rather 
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trust  its  own  interaction  experiences  more  than  rec¬ 
ommendations  provided  from  other  peers,  especially 
in  the  presence  of  malicious  nodes  that  can  perform 
good-mouthing  and  bad-mouthing  attacks.  Also  again 
we  observe  that  while  using  more  conservative  direct 
observations  or  self-information  for  subjective  trust 
evaluation  in  general  helps  bringing  subjective 
P mission  closer  to  objective  Passion*  and  there  is  a  cutoff 
point  after  which  subjective  trust  evaluation  over¬ 
shoots. 

Figure  7  demonstrates  the  effectiveness  of  SQTrust. 
We  sec  that  the  mission  success  probability  as  a  result 
of  executing  subjective  trust  evaluation  is  very  close  to 
that  from  objective  trust  evaluation,  especially  when 
we  use  more  but  not  excessive  direct  observations  for 
subjective  trust  evaluation.  When  given  a  mission  con¬ 
text  characterized  by  a  set  of  model  parameter  values 
defined  in  Table  3,  the  analysis  methodology  devel¬ 
oped  in  this  paper  helps  identify  the  best  weight  of 
direct  observations  (i.e.,  (3\:  fc)  to  be  used  for  subjec¬ 
tive  trust  evaluation,  so  that  SQTrust  can  be  fine- 
tuned  to  yield  results  close  to  those  by  objective  trust 
evaluation  based  on  actual  knowledge  of  node  status. 

•  (wl;w2:w3w4  =0.5:0. 5:0:0)  -  social  trust  only 

H  (wl:w2  w3  w4=0  35:0.35:0.15:0  15)  -  more  social  trust 

♦  (wl:w2:w3  w4=0  25  0.25:0  25:0.25)  -  equal  weight  trust 
"  W  —  (wl  w2  w3  w4=0  15:0. 15:0.35.0.35)  -  more  QoS  trust 

"  (wl  w2  w3  w4=0  0:0.5  0.5)  -  QoS  trust  only 


Figure  8:  Effect  of  wx:w2'  w3:  w4  on  Mission  Success 
Probability. 


In  Figure  8  we  compare  PmiSSion  vs.  77^  for  the  mis- 
sion  group  under  various  iva:  w2:  w3:  iv4  ratios,  with 
each  operating  at  its  optimal  jh\p2  ratio  so  that  in  each 
test  case  subjective  PmiSSion  ls  virtually  the  same  as 
objective  PmiSSion •  VVe  sec  that  "social  trust  only"  pro¬ 
duces  the  highest  system  reliability,  while  "QoS  trust 
only"  has  the  lowest  system  reliability  among  all, 
suggesting  that  in  this  case  study  social  trust  metrics 
used  (intimacy  and  healthiness)  arc  able  to  yield  high¬ 
er  trust  values  than  those  of  QoS  trust  metrics  used 
(energy  and  selfishness).  Certainly,  this  result  should 
not  be  construed  as  universal.  When  given  a  mission 
context  characterized  by  a  set  of  model  parameter 


values  defined  in  Table  3,  the  model-based  analysis 
methodology  developed  in  this  paper  helps  identify 
the  best  vv1:w2:w3:  vv4  ratio  to  be  used  to  maximum 
the  system  reliability. 

♦  Ml  =  0.60,  M2  =  0.55  (90%  direct  evaluation) 

■  Ml  =  0  65,  M2  =  0  55  (90%  direct  evaluation) 

»  Ml  =  0,70,  M2  =  0,55  (88%  direct  evaluation) 

— M —  Ml  -  0.75,  M2  -  0.55  (85%  direct  evaluation) 

■  M'—  Ml  *  0.80,  M2  =  0.55  (83%  direct  evaluation) 

•  Ml  =  0.85,  M2  =  0  55  (82%  direct  evaluation) 
t  Ml  =  0.90,  M2  * 0.55  (82%  direct  evaluation) 

Ml  =  0.95,  M2  =  0.55  (82%  direct  evaluation) 


Figure  9:  Effect  of  Ml  on  Mission  Success  Probability. 


♦  Ml  =  0  95,  M2  =  0.50  (82%  direct  evaluation) 

•  -'Ml  =  0  95,  M2  «  0.55  (82%  direct  evaluation) 
—A — Ml  =  0  95,  M2  *  0  60  (82%  direct  evaluation) 

»4-  Ml  =  0.95,  M2  =  0.65  (82%  direct  evaluation) 


Figure  10:  Effect  of  M2  on  Mission  Success  Probability. 


Lastly  we  analyze  the  effect  of  mission  trust  thre¬ 
sholds  Mi  (the  minimum  trust  level  required  for  suc¬ 
cessful  mission  completion)  and  M2  (the  drop  dead 
trust  level).  Figures  9  and  10  show  PmiSSion  vs.  TR  for 
the  system  operating  under  optimal  w1:  w2:  vv3-  vv4  and 
settings  for  each  (Mi,  M2)  combination.  Recall 
that  Mi  and  M2  represent  the  belief  if  a  node  is  consi¬ 
dered  trustworthy  for  mission  execution.  From  Figure 
9,  we  see  that  as  Mi  increases,  the  system  reliability 
decreases  because  there  is  a  smaller  chance  for  a  node 
to  satisfy  the  high  threshold  for  it  to  be  completely 
trustworthy  for  mission  execution.  Similarly  from 
Figure  10,  we  sec  that  as  M2  increases,  the  system  re¬ 
liability  decreases  because  there  is  a  higher  chance  for 
a  node  to  be  completely  untrustworthy  for  mission 
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execution.  We  also  observe  that  the  reliability  is  more 
sensitive  to  Mi  than  M2.  A  system  designer  can  set 
proper  Mi  and  M2  values  based  on  the  mission  context 
such  as  the  degree  of  difficulty  and  mission  comple¬ 
tion  deadline,  utilizing  the  model-based  methodology 
developed  in  the  paper  to  analyze  the  effect  of  Mi  and 
M2  so  as  to  improve  the  system  reliability. 

7  Conclusion 

In  this  paper  we  have  proposed  and  analyzed  a 
trust  management  protocol  called  SQTrust  that  incor¬ 
porates  both  social  and  QoS  trust  metrics  for  subjec¬ 
tive  trust  evaluation  of  mobile  nodes  in  MANETs.  The 
most  salient  feature  of  SQTrust  is  that  it  is  distributed 
and  dynamic,  only  requiring  each  node  to  periodically 
estimate  its  degree  of  social  and  QoS  trust  toward  its 
peers  local  or  distance  away.  We  developed  a  model- 
based  methodology  based  on  SPN  techniques  for  de¬ 
scribing  the  behavior  of  a  mobile  group  consisting  of 
behaved,  malicious  and  selfish  nodes.  By  applying  an 
iterative  technique  for  solving  the  large  SPN  model, 
we  allow  the  objective  trust  values  of  nodes  to  be  calcu¬ 
lated  based  on  global  knowledge  regarding  status  of 
nodes  as  time  progresses,  which  serves  as  the  basis  for 
performance  evaluation  against  SQTrust.  We  demon¬ 
strated  that  SQTrust  is  able  to  provide  subjective  trust 
evaluation  results  close  to  objective  trust  evaluation 
results,  thus  supporting  its  resiliency  property  to  bad- 
mouthing  and  good-mouthing  attacks  by  malicious 
nodes.  We  also  demonstrated  the  effect  of  SQTrust  on 
the  reliability  of  mission-oriented  mobile  groups,  veri¬ 
fied  by  the  exact  match  between  subjective  mission 
success  probability  and  objective  mission  success 
probability.  Finally,  we  analyzed  the  effects  of  key 
design  parameters  such  as  /?2(with  higher  mean¬ 
ing  more  direct  observations  or  self-information  being 
used  for  subjective  trust  evaluation),  w::  w2:  w3:  w4 
(the  weight  ratio  for  the  4  trust  components  consi¬ 
dered),  Mi  and  M 2  (the  minimum  trust  level  and  drop- 
dead  trust  level),  and  TR  (the  mission  completion 
deadline)  on  the  system  reliability  of  a  mission- 
oriented  mobile  group  and  provided  guidelines  for 
fine-tuning  these  parameters  so  as  to  maximize  the 
system  reliability. 

In  the  future,  we  plan  to  extend  SQTrust  to  apply  to 
wireless  sensor  actuator  networks  with  a  hierarchical 
infrastructure,  and  we  plan  to  investigate  a  class  of 
mission-critical  applications  which  can  benefit  from 
subjective  trust  evaluation  protocols  that  consider 
both  social  and  QoS  trust  such  as  SQTrust  developed 
in  this  paper. 
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